A decades-old industrial communications protocol still used to connect controllers, sensors, and monitoring equipment is leaving some critical infrastructure systems exposed online.
Researchers at Comparitech said they identified 179 likely real industrial control system devices reachable over Modbus, a protocol designed for closed industrial networks, across 20 countries. Some of the exposed devices appeared tied to railway and power infrastructure, underscoring how a long-recognized OT security problem continues to surface in sensitive environments.
The issue is not simply that Modbus is old. Many legacy technologies remain in service across industrial settings. The problem is that devices using the protocol are still directly reachable over TCP port 502, the standard port for Modbus/TCP, even though the protocol was never intended to face public networks.
According to Comparitech, one exposed device appeared to be part of a national railway network, while two others appeared connected to national power grid infrastructure in Asia and Europe. Those findings suggest the exposure is not confined to lower-risk environments and that weaknesses in OT security can still appear in sectors where disruption could have physical consequences.
Why Modbus Remains a Risk
Modbus was designed in 1979 to allow controllers, sensors, and field devices to exchange data within environments assumed to be isolated. That design assumption becomes a liability once a device is placed on a public IP address. Unlike modern secure communications systems, Modbus does not natively provide authentication or encryption: the protocol has a unit identifier that selects a device, but nothing that identifies or verifies the party sending the request. A TLS-wrapped variant, Modbus/TCP Security on port 802, was specified in 2018, but it is rarely found on fielded equipment.
In practice, that means a publicly reachable Modbus device may have no built-in way to verify who is connecting or to protect the data being exchanged. A single TCP connection and a 12-byte request is all that is needed. Comparitech said outsiders may be able to read holding registers (function code 3) and, in some cases, write to them as well (function codes 6 and 16). Depending on the device, those registers can contain operational data such as voltage, current, pressure, flow, or switch states. In some situations, unauthorized changes could affect the physical system the device is helping manage.
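The frames below, added here as an illustration and not taken from Comparitech's report or tooling, show what a Modbus/TCP Read Holding Registers exchange and a Write Single Register request actually contain on the wire. The response and exception bytes are constructed for the example, not captured from a real device. The point to notice is what is missing: there is no field anywhere in the frame for a credential, a session token, or an integrity check.

```python
import struct

# Modbus/TCP frame = MBAP header + PDU.
# MBAP: transaction id (2 bytes), protocol id (2, always 0),
#       length (2, bytes that follow: unit id + PDU), unit id (1).
# The unit id selects a device behind a gateway; nothing identifies the caller.
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06


def mbap(transaction_id, pdu, unit_id=1):
    """Prepend the MBAP header to a PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_request(transaction_id, start, count, unit_id=1):
    """Function code 3: read `count` holding registers starting at `start`."""
    if not 1 <= count <= 125:
        raise ValueError("count must be 1..125 per the Modbus spec")
    return mbap(transaction_id, struct.pack(">BHH", FC_READ_HOLDING, start, count), unit_id)


def write_single_request(transaction_id, address, value, unit_id=1):
    """Function code 6: write one 16-bit value to a holding register."""
    return mbap(transaction_id, struct.pack(">BHH", FC_WRITE_SINGLE, address, value & 0xFFFF), unit_id)


def parse_response(frame):
    """Parse a response frame; returns a dict, including exception responses."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc & 0x80:  # exception: function code with high bit set, then exception code
        return {"tid": tid, "unit": uid, "function": fc & 0x7F, "exception": pdu[1]}
    if fc == FC_READ_HOLDING:
        byte_count = pdu[1]
        if byte_count != len(pdu) - 2 or byte_count % 2:
            raise ValueError("byte count does not match payload")
        regs = list(struct.unpack(">%dH" % (byte_count // 2), pdu[2:]))
        return {"tid": tid, "unit": uid, "function": fc, "registers": regs}
    if fc == FC_WRITE_SINGLE:  # echo of address and value written
        addr, val = struct.unpack(">HH", pdu[1:5])
        return {"tid": tid, "unit": uid, "function": fc, "address": addr, "value": val}
    raise ValueError("unhandled function code 0x%02x" % fc)


# Constructed sample exchange (not captured from any real device).
REQUEST = read_holding_request(0x0001, start=0, count=3)
# Device answers with three registers: 0x0909, 0x0000, 0x0834.
RESPONSE = bytes.fromhex("000100000009" "01" "03" "06" "0909" "0000" "0834")
# Exception 02 (illegal data address) to transaction 2.
EXCEPTION = bytes.fromhex("000200000003" "01" "83" "02")

if __name__ == "__main__":
    print("request :", REQUEST.hex())
    print("response:", parse_response(RESPONSE))
    print("error   :", parse_response(EXCEPTION))
    print("write   :", write_single_request(5, address=10, value=1).hex())
```

Swap `read_holding_request` for `write_single_request` and the same unauthenticated frame changes a register instead of reading it; whether the device honours the write is decided by its firmware, not by any check in the protocol.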
What Researchers Found
The researchers said they were able to identify more than open ports. The exposed devices included logic controllers, processor modules, energy meters, and voltage and power loggers from vendors including Schneider Electric, ABB Stotz-Kontakt, Data Electronics, Fastwel, eGauge, and A. Eberle. That allowed the researchers to draw conclusions about how the devices were likely being used, including for logic control, power monitoring, and data logging.
That level of visibility can also work in an attacker’s favor. When a device reveals its make or model, publicly available vendor documentation can often be used to interpret register contents. Those register maps can connect raw values to real-world functions such as voltage, current, temperature, pressure, flow, switch states, motor controls, target values, and error codes. Even when a device does not identify itself clearly, Comparitech said someone observing register values over time may still be able to infer aspects of the system’s behavior.
To illustrate the point, the researchers said they used a publicly available register list for a Schneider PowerLogic EM4880 to chart the energy consumption of a live installation. The example shows how an exposed Modbus device can reveal more than the fact that it is online; it can also provide a window into operations inside a facility.
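The block below, added here as an example and not Comparitech's tooling, shows how raw 16-bit words read from holding registers become engineering values once a register map is known, and how a series of polls of an energy counter turns into a consumption profile. The register layout is hypothetical, invented for this illustration; it is not the EM4880's published map or any vendor's document, and the polled values are constructed. It also handles the one edge case that catches out naive logging: a 32-bit counter wrapping past its maximum.

```python
import struct

# Hypothetical register map (invented for this example, not a vendor's).
# name -> (register offset, encoding, scale factor, unit)
REGISTER_MAP = {
    "voltage_l1":    (0, "u16", 0.1,  "V"),    # unsigned, tenths of a volt
    "current_l1":    (1, "i16", 0.01, "A"),    # signed, hundredths of an amp
    "power_total":   (2, "f32", 1.0,  "W"),    # IEEE-754 float, high word first
    "energy_import": (4, "u32", 0.1,  "kWh"),  # 32-bit counter, tenths of a kWh
    "breaker_state": (6, "u16", 1,    ""),     # 0 = open, 1 = closed
}
COUNTER_MODULUS = 1 << 32


def decode_register(words, name, base=0):
    """Scale the raw words returned by function code 3 into a (value, unit) pair."""
    offset, kind, scale, unit = REGISTER_MAP[name]
    i = offset - base  # position within the block that was read
    if kind == "u16":
        raw = words[i]
    elif kind == "i16":  # two's complement in one word
        raw = words[i] - 0x10000 if words[i] & 0x8000 else words[i]
    elif kind == "u32":  # high word first in this hypothetical map
        raw = (words[i] << 16) | words[i + 1]
    elif kind == "f32":  # two words reassembled into a big-endian float
        raw = struct.unpack(">f", struct.pack(">HH", words[i], words[i + 1]))[0]
    else:
        raise ValueError("unknown encoding %r" % kind)
    return raw * scale, unit


def decode_all(words, base=0):
    """Decode every mapped register from one block of words."""
    return {name: decode_register(words, name, base) for name in REGISTER_MAP}


def energy_consumed(snapshots, name="energy_import"):
    """Consumption between consecutive polls of a monotonic 32-bit counter.

    Returns (start_ts, end_ts, kWh) tuples. The modulo handles the counter
    wrapping past 2**32, which a plain subtraction reports as a huge negative.
    """
    offset, kind, scale, _ = REGISTER_MAP[name]
    if kind != "u32":
        raise ValueError("expected a 32-bit counter")
    out, prev = [], None
    for ts, words in snapshots:
        raw = (words[offset] << 16) | words[offset + 1]
        if prev is not None:
            delta = (raw - prev[1]) % COUNTER_MODULUS
            out.append((prev[0], ts, delta * scale))
        prev = (ts, raw)
    return out


# Constructed hourly polls (timestamp in seconds, seven register words); not real data.
SNAPSHOTS = [
    (0,    [2305, 0x0032, 0x449A, 0x5000, 0x0001, 0x86A0, 1]),  # 230.5 V, 0.50 A, 1234.5 W, 10000.0 kWh
    (3600, [2298, 0x0030, 0x449A, 0x5000, 0x0001, 0x871B, 1]),  # counter +123 raw -> 12.3 kWh
    (7200, [2301, 0xFFCE, 0x449A, 0x5000, 0x0001, 0x879A, 1]),  # current -0.50 A (export), +127 raw
]

if __name__ == "__main__":
    for ts, words in SNAPSHOTS:
        print(ts, decode_all(words))
    for start, end, kwh in energy_consumed(SNAPSHOTS):
        print("%5d-%5d s: %.1f kWh" % (start, end, kwh))
```

Nothing here needs the device to announce what it is; an observer who guesses the encoding can plot the same curve and, from the shape of consumption over a day or a week, infer shift patterns or process cycles inside the facility.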
A Failure of OT Basics
The report does not describe a new exploit so much as a familiar security lapse. Internet exposure is the first problem, and the risk grows when segmentation and access controls are weak or missing. That is what continues to make legacy OT systems vulnerable once they are connected to public IP networks without adequate safeguards.
The broader takeaway is that basic OT security practices remain uneven. Firewalls, network segmentation, controlled remote access, and current asset inventories are not new defenses, but they remain central to reducing risk in industrial environments. When those controls fail, older protocols can become an avoidable source of exposure.
“Attackers don’t need a single catastrophic vulnerability if they can enumerate environments, chain small weaknesses, and establish footholds across multiple sites,” said Larry Pesce, Vice President of Services at Finite State. “At that point, even minor disruptions can aggregate into operational, safety, or economic consequences.”
What Defenders Should Do
For defenders, the immediate steps are relatively straightforward. Organizations can scan their own external IP ranges for anything responding on TCP port 502, confirm that each responder actually speaks Modbus rather than trusting the port number alone, match every hit to an entry in the asset inventory, and remove direct public access to ICS and PLC devices where possible.
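One way to confirm that a port-502 responder speaks Modbus, and to learn its vendor and product strings, is the protocol's own Read Device Identification request (function code 43, MEI type 14). The block below is an added example, not Comparitech's method or tooling and not the code of any vendor named on this page. The sample response is constructed and the vendor and product strings in it are placeholders; the `probe` function opens a real connection and should only be pointed at hosts you are authorised to test.

```python
import socket
import struct

FC_ENCAP = 0x2B        # Encapsulated Interface Transport
MEI_DEVICE_ID = 0x0E   # MEI type: Read Device Identification
READ_BASIC = 0x01      # basic identification: the three objects below
BASIC_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def frame(pdu, transaction_id=1, unit_id=1):
    """MBAP header (transaction, protocol 0, length, unit) followed by the PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def device_id_request(transaction_id=1, unit_id=1):
    """FC 43 / MEI 14, read code 1 (basic), starting at object 0."""
    return frame(bytes([FC_ENCAP, MEI_DEVICE_ID, READ_BASIC, 0x00]), transaction_id, unit_id)


def parse_device_id(data):
    """Parse a Read Device Identification response into its object strings."""
    tid, pid, length, uid = struct.unpack(">HHHB", data[:7])
    if pid != 0 or length != len(data) - 6:
        raise ValueError("malformed MBAP header")
    pdu = data[7:]
    if pdu[0] == FC_ENCAP | 0x80:
        # Exception (01 = illegal function on devices that lack FC 43): still
        # a well-formed Modbus reply, so the host is confirmed as Modbus.
        return {"modbus": True, "exception": pdu[1], "objects": {}}
    if pdu[0] != FC_ENCAP or pdu[1] != MEI_DEVICE_ID:
        raise ValueError("not a device identification response")
    read_code, conformity, more, next_id, count = pdu[2:7]
    objects, pos = {}, 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object list")
        oid, olen = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + olen]
        if len(value) != olen:
            raise ValueError("truncated object value")
        objects[BASIC_OBJECTS.get(oid, "Object%02x" % oid)] = value.decode("ascii", "replace")
        pos += 2 + olen
    return {"modbus": True, "conformity": conformity, "more_follows": more == 0xFF,
            "next_object": next_id, "objects": objects}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        buf += chunk
    return buf


def probe(host, port=502, timeout=3.0):
    """Live network check (authorised hosts only). Reads the MBAP header first,
    then exactly the number of bytes its length field announces."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(device_id_request())
        header = _recv_exact(s, 7)
        length = struct.unpack(">H", header[4:6])[0]
        return parse_device_id(header + _recv_exact(s, length - 1))


# Constructed reply from a hypothetical meter; the strings are placeholders.
SAMPLE_RESPONSE = frame(
    bytes([FC_ENCAP, MEI_DEVICE_ID, READ_BASIC, 0x01, 0x00, 0x00, 0x03])
    + bytes([0x00, 11]) + b"ExampleCorp"
    + bytes([0x01, 4]) + b"EM-0"
    + bytes([0x02, 3]) + b"1.0"
)
SAMPLE_EXCEPTION = frame(bytes([FC_ENCAP | 0x80, 0x01]))  # device without FC 43

if __name__ == "__main__":
    print(device_id_request().hex())
    print(parse_device_id(SAMPLE_RESPONSE))
    print(parse_device_id(SAMPLE_EXCEPTION))
```

Run `probe()` across an organisation's own external ranges and the vendor and product strings that come back are exactly what an attacker would use to look up the register map; anything that answers should already be in the asset inventory and should normally not be answering from a public address at all.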
“Recent surges in activity from state-affiliated actors targeting similar vulnerabilities underscore that this is no longer a theoretical risk but an active targeting priority,” said Damon Small, a board member at Xcape, Inc. “Security teams must move beyond simple port blocking and verify that any necessary remote access is tunneled through a robust VPN or a secure gateway with granular identity controls.”
Comparitech’s findings suggest that, despite years of warnings about internet-facing industrial systems, some of the same weaknesses remain. In sectors such as power and transportation, that leaves an aging protocol as a continuing modern risk.